Question about Netstat

18 years 7 months ago #10154 by TheBishop
Replied by TheBishop on topic Netstat
I'm exhausted just reading the list!
18 years 7 months ago #10176 by sahirh
Replied by sahirh on topic Re: Question about Netstat
Well there *is* a way that the connection can't be listed... it's fairly insidious, and in fact, it's an area of computer security that most people don't know much about.

They're called rootkits.. and simplistically, they're nothing more than backdoors.. however these backdoors don't run in what's called userland (where all your *user* programs run), they run at the same level as a device driver.. in other words with the kernel, in what is known as ring-0.

When netstat asks the kernel for information regarding open ports, the rootkit can intercept that request, and remove itself from the list... it can do the same for when you do a file listing in a directory.. or a process listing.

In other words, how do you trust the kernel when the kernel lies? :)

Even scarier -- it should be technically possible to have a rootkit that writes itself to an EEPROM like on an ethernet card.. so even if you completely format your system, it will still remain :)


www.rootkit.com for more information.

Oh, and don't try and play around with these babies unless you *really* know what you're doing (read that as -- know how to write device drivers), because you could seriously hurt yourself.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
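Added example, not part of sahirh's post: because a kernel-level rootkit can filter what netstat reports, one common defensive check is a cross-view comparison of the host's own listing against a port scan taken from a second, trusted machine. The netstat text, the scan result and the function names below are constructed for illustration, and the parser assumes plain `netstat -an` output.

```python
import re

# Constructed sample: what `netstat -an` printed on the suspect host (Windows-style).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample: TCP ports a scan from a second, trusted machine found open.
EXTERNAL_OPEN_TCP = {135, 139, 445, 3389, 31337}

LISTEN_STATES = {"LISTENING", "LISTEN"}  # Windows and Linux spellings


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports the host itself reports as listening."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue  # headers, blank lines, UDP
        if fields[-1].upper() not in LISTEN_STATES:
            continue  # established or closing connections are not listeners
        for field in fields[1:]:
            m = re.search(r":(\d+)$", field)
            if m:  # first address-looking field is the local address
                ports.add(int(m.group(1)))
                break
    return ports


def cross_view(netstat_text, external_open):
    """Compare the host's own view with the view from outside."""
    local = listening_tcp_ports(netstat_text)
    return {
        # Open on the wire but missing locally: the host's listing is incomplete.
        "hidden_from_host": sorted(set(external_open) - local),
        # Listed locally but not reachable: usually a firewall or a filtered path.
        "not_seen_outside": sorted(local - set(external_open)),
    }


if __name__ == "__main__":
    print(cross_view(NETSTAT_OUTPUT, EXTERNAL_OPEN_TCP))
```

A port in `hidden_from_host` is a reason to investigate the machine from trusted boot media rather than with tools running on the suspect kernel.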
18 years 7 months ago #10185 by jwj
Replied by jwj on topic Re: Question about Netstat
You're scary smart Sahir. It's amazing how much there is to computing and its security. I definitely know now that I need to get to studying operating systems.

-Jeremy-
18 years 7 months ago #10191 by Tarun
Replied by Tarun on topic Re: Question about Netstat
Wow, wealth of information right from the horse's mouth.

Well, that sounds scary, I hope there are no viruses already out there which write themselves to your network card :lol:

But that was something really new to me.

Thanks sahirh ...

Next would be SP (Service Provider)
CCNA, CCNP (Switching), CCIE#20640
18 years 7 months ago #10236 by sahirh
Replied by sahirh on topic Re: Question about Netstat
Here's a book worth reading on the subject. I'm linking to a sample chapter.

www.securityfocus.com/excerpts/10/1

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
18 years 7 months ago #10242 by jwj
Replied by jwj on topic Re: Question about Netstat
Very interesting sample, this book is high on my list of future purchases.

-Jeremy-